Measurement probe systems for co-ordinate positioning apparatus

ABSTRACT

A measurement probe, such as a touch trigger measurement probe, is described that comprises a measurement portion for measuring an object and a data transfer portion for receiving data from and/or transmitting data to an associated unit. The measurement device also comprises an authentication module for verifying the authenticity of the associated unit. The authentication module may include a processor for running a one-way hash algorithm. Authenticity may be established using a challenge and response authentication process.

CROSS-REFERENCE TO PRIOR APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.12/216,609, filed on Jul. 8, 2008, which claims the benefit of U.S.Provisional Patent Application No. 60/996,984, filed on Dec. 13, 2007and claims priority to European Patent Application No. 07252965.4, filedon Jul. 26, 2007, the disclosures of which are incorporated herein byreference.

BACKGROUND

i) Field of the Invention

The present invention relates to measurement devices that comprise anauthentication module for verifying the authenticity of an associatedunit and in particular to measurement systems that comprise ameasurement probe mountable to co-ordinate positioning apparatus.

ii) Description of Related Art

Measurement probes for use with co-ordinate positioning apparatus, suchas co-ordinate measuring machines, machine tools, inspection robots etc,are known. Examples of such measurement probes are described in U.S.Pat. No. 4,153,998, WO2004/57552 and WO2007/28964.

To offer flexibility to users, measurement devices for use withco-ordinate positioning apparatus are often produced and sold asdiscrete modular units that are combined to establish a system that canperform the required measurement task. For example, a range of differentmeasurement probes are often produced for use with a number ofmeasurement probe interfaces. An appropriate measurement probe and probeinterface can then be used in combination by an end user. For machinetool based probing applications, data transfer between the measurementprobes and probe interface may take place over a wireless (e.g. RF oroptical) link using a communications protocol such as that described inWO2004/57552 or WO2007/28964.

Although providing such modular apparatus offers the advantage ofincreased flexibility, it has the disadvantage that ill-informed usersmay attempt to combine measurement probe products that are in some wayincompatible. Furthermore, the communication protocols of existingwireless communication systems can typically be easily copied therebyallowing third parties to produce devices that attempt to mimic genuinedevices. The quality of such third party devices can be highly variableand the compatibility of such devices with genuine articles is typicallynot properly tested. The combination of incompatible apparatus, or theuse of apparatus from unauthorised third party manufacturers, can thusresult in measurement systems being established that do not provide anacceptable level of measurement accuracy.

SUMMARY OF THE INVENTION

According to a first aspect of the present invention, a measurementprobe system is provided that comprises a measurement probe mountable toco-ordinate positioning apparatus, the measurement probe comprising ameasurement portion for measuring an object. The measurement probesystem also comprises a data transfer portion for receiving data fromand/or transmitting data to an associated unit and is characterised inthat it comprises an authentication module for verifying theauthenticity of the associated unit.

The present invention thus relates to a measurement probe systemcomprising a measurement probe that can be mounted to co-ordinatepositioning apparatus, such as a machine tool, co-ordinate measuringmachine (CMM) or inspection robot etc. The measurement probe has ameasurement portion for use in measuring properties of an object, suchas the location of points on the object surface or dimension(s) of theobject. The measurement probe system also comprises a data transferportion that allows data to be passed to and/or read from an associatedunit and includes an authentication module for checking that theassociated unit which is communicating with the data transfer portion isauthentic. As explained in more detail below, if the authenticity of theassociated unit is confirmed the measurement probe system may allow data(e.g. firmware updates, trigger counts, operational instructions etc) tobe loaded and/or measurement data from the measurement portion may betransmitted to the associated unit.

In this manner, the present invention ensures that any associated unitis authentic. This means that there is no requirement for a user to haveto check or verify that an associated unit is fully compatible with themeasurement probe system. Furthermore, it prevents third partiesmanufacturing associated units that can mimic the operation of anauthentic device. In this manner, it is guaranteed that the measurementprobe system is always used with fully compatible apparatus therebyensuring the required levels of measurement accuracy are maintained.

Advantageously, the authentication module comprises a processor that, inuse, runs an encryption algorithm. The processor is advantageously astand-alone chip or circuit but may also be used for other processingtasks if required. Conveniently, the encryption algorithm is a one-wayhash algorithm, such as the SHA-1 algorithm developed by the NationalInstitute of Standards and Technology (NIST) of the USA. Although SHA-1is a suitable algorithm, it should be noted that many alternativealgorithms are available and could be used if required. Theauthentication module conveniently comprises a random data stringgenerator which, as described in more detail below, can greatly increasethe security of a challenge and response authentication process. Asecure memory for storing a secret key may also be provided, the securememory being inaccessible externally after the key has been entered.

Advantageously, the authentication module verifies the authenticity ofthe associated unit using a challenge and response process. Thechallenge and response process conveniently confirms that the associatedunit holds the same secret key as the secure memory of theauthentication module without disclosing the secret key.

The challenge and response process is described in more detail below andcomprises the authentication module of the measurement probe systemcommunicating with a similar authentication module of the associatedunit. The authentication modules of the measurement probe system and theassociated unit both combine the same data (e.g. a message and a randomdata string) with their secret key and use the SHA-1 algorithm togenerate a message authenticity code (MAC). If the measurement probesystem receives the same MAC from the associated unit as it hascalculated internally, it can be sure that the associated unit storesthe same secret key as the measurement probe system. In this manner, theauthenticity of the associated unit can be verified by the measurementprobe system.

The associated unit may be located remotely to the measurement probesystem and a wireless link provided for communication therebetween. Thedata transfer portion thus conveniently comprises a transmitter and/or areceiver for providing a wireless communications link with an associatedunit. The data transfer portion may thus provide an optical, RF or othersuitable type of wireless communications link as required.Alternatively, the data transfer portion may comprise at least oneelectrical contact for providing a conductive electrical connection withan associated unit. In such an example, the associated unit may bebrought into electrical contact with the electrical contact(s) of themeasurement probe system as and when required. If the data transferportion and any associated electrical contacts are provided on themeasurement probe, a cover or lid may be provided to protect suchcontacts and/or any attached associated unit from physical damage.

Advantageously, the measurement portion generates measurement data fortransmission to an associated unit by the data transfer portion, whereinthe data transfer portion only transmits the measurement data if theauthentication module has verified the presence of an authenticassociated unit. For example, the associated unit may be a probeinterface for conveying measurement data to a computer controller. Insuch an example, the measurement probe is only operable if the probeinterface is confirmed as authentic. Alternatively, the measurementprobe system may also comprise the probe interface and the associatedunit may comprise a computer controller (e.g. a numeric controllerand/or personal computer). In such an example, the probe interface maypass measurement data to the computer controller only if the computercontroller (or a hardware component, such as a dongle, attached to thecomputer controller) is confirmed as authentic. In a further embodiment,the measurement probe system may comprise the measurement probe, a probeinterface and a portion of a computer controller. In this case, theassociated unit may comprise a further portion of the computercontroller and optionally hardware (e.g. a dongle) connected to thecomputer controller. Measurement data may then only be passed from ameasurement program running on the computer controller to a furtherprogram that uses such data if the associated unit (e.g. the dongle) isconfirmed as being authentic.

As well as, or instead of, receiving measurement data the associatedunit may comprise data that can be transferred to the measurement probesystem. For example, the associated unit may comprise an activationbutton, smart card, control fob or similar that includes a store oftrigger credits or contains updates to the software that is being run bythe measurement probe system. In other words, data may be stored by theassociated unit. The associated unit may thus be advantageously arrangedto transmit information relating to operation of the measurement probesystem. Conveniently, any such transmitted information is only actedupon by the measurement probe system if the authentication module hasverified that the associated unit is authentic. In this manner, it canbe assured that any data that is uploaded to, and acted upon, by themeasurement probe system is authentic.

The measurement probe may be of contact or non-contact type. If acontact measurement probe is provided, the measurement portion maycomprise a deflection measurement mechanism and/or a deflectable stylus.The measurement probe may be a touch trigger probe that issues a triggersignal whenever stylus deflection exceeds a certain threshold.Alternatively, the measurement probe may be an analogue or scanningprobe in which the amount of stylus deflection is measured (e.g. usingstrain gauges) and an output is provided containing information aboutthe position of the stylus tip relative to the body of the measurementprobe. In either case, the stylus may be releasably retained by a stylusholder that forms part of the deflection measurement mechanism therebyallowing stylus replacement.

The measurement probe system described above may comprise solely ameasurement probe. In such an example, the measurement probe preferablycomprises the data transfer portion and the authentication module.Alternatively, the measurement probe system may also comprise one ormore additional components. For example, the system may convenientlycomprise one or more of a probe interface, a numeric controller and acontrol computer. In such an example, the data transfer portion and theauthentication module may be distributed over different components ofthe system.

The present invention also extends to a measurement kit that includes ameasurement probe system of the type described above and an associatedunit. The associated unit and measurement probe system preferably bothstore an identical (secret) key. Advantageously, the associated unit isa probe interface for receiving (e.g. over a wireless link) measurementdata from the measurement probe of the measurement system. Conveniently,the associated unit stores information (e.g. trigger count or otheroperational data) to be transmitted to the measurement probe.

A measurement probe system is thus described herein that comprises ameasurement probe having a measurement portion for measuring an objectand a data transfer portion for receiving data from and/or transmittingdata to an associated unit, wherein the system also comprises aprocessor that, in use, runs an encryption algorithm. An authenticationprocess or a full data encryption architecture may be provided.

According to a second aspect of the invention, a probe interface isprovided for a measurement probe system comprising a measurement probehaving a data transfer portion as described above. The probe interfacealso comprising a complimentary data transfer portion for receivingmeasurement data from a measurement probe and an output portion foroutputting the measurement data, characterised in that the interfacecomprises an authentication module for verifying the authenticity of themeasurement probe.

According to a third aspect of the invention, a method of measurementprobe system operation comprises the steps of: (i) using a measurementprobe system to measure an object and (ii) receiving data from and/ortransferring data to an associated unit, characterised in that themethod comprises the further step (iii) of verifying the authenticity ofthe associated unit.

According to a further aspect of the invention, a measurement probe forco-ordinate positioning apparatus is provided, the measurement probecomprising; a measurement device for generating measurement dataindicative of the position of at least one point on the surface of anobject; a communications device for communicating with a remote probeinterface; and an authentication device for determining if the remoteprobe interface is an authentic remote probe interface, wherein thecommunications device passes the measurement data to the remote probeinterface only when the authentication device has determined that theremote probe interface is an authentic remote probe interface.

Advantageously, the authentication device comprises a secure memory forstoring a secret key. The authentication device may thus determine theauthenticity of a remote probe interface using a challenge and responseauthentication process, the challenge and response authenticationprocess confirming that a remote probe interface holds the same secretkey as is held in the secure memory of the authentication module. Such achallenge and response authentication process preferably does notdisclose the secret key.

According to a further aspect of the invention, a measurement probe forco-ordinate positioning apparatus is provided, the measurement probecomprising; a measurement device for measuring an object; an interfacefor providing a data connection with an associated data storage unit; acommunications device for receiving data from an associated data storageunit connected to the interface; an authentication device fordetermining if a data storage unit connected to the interface is anauthentic data storage unit; wherein data stored on a data storage unitconnected to the interface is used by the measurement probe only whenthe authentication device has determined that the data storage unitconnected to the interface is an authentic data storage unit.

Advantageously, the communications device receives data from anassociated data storage unit that comprises at least one of a triggercount value, a probe operation time value, a probe operating instructionand a firmware update. Preferably, the authentication device comprises asecure memory for storing a secret key. Conveniently, the authenticationdevice determines the authenticity of a data storage unit using achallenge and response authentication process, the challenge andresponse authentication process confirming that a data storage unitholds the same secret key as is held in the secure memory of theauthentication module. Such a challenge and response authenticationprocess preferably does not disclose the secret key.

Although a measurement probe system is described in detail above, thearrangement described herein may also be applied to many different typesof measurement apparatus; e.g. the measurement portion may comprise aRaman spectrometer or similar for acquiring data from objects providedin the form of samples. A measurement device is thus described hereinthat comprises a measurement portion for measuring an object and a datatransfer portion for receiving data from and/or transmitting data to anassociated unit, wherein the device comprises an authentication modulefor verifying the authenticity of the associated unit. The measurementdevice may comprise so-called dimensional measurement devices formeasuring a physical dimension of an object (e.g. measurement probes,optical position encoders etc) or non-dimensional measurement devicesfor measuring a property of an object other than a dimension (e.g. Ramanspectrometers, Fourier transform infrared spectrometers etc).

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described, by way of example only, withreference to the accompanying drawings in which;

FIG. 1 shows a measurement probe and activation button according to thepresent invention;

FIG. 2 shows the components of the activation button in more detail;

FIG. 3 illustrates the principles behind a two-way authenticationprocess;

FIG. 4 shows a measurement probe kit for use on a machine tool;

FIG. 5 shows an integrated battery and activation button holder,

FIG. 6 shows a measurement probe having a slot for receiving a smartcard,

FIG. 7 shows a measurement probe having an integral memory for storing atrigger count value,

FIG. 8 shows a measurement probe and an associated activation fob,

FIG. 9 illustrates two-part measurement probe apparatus;

FIG. 10 shows a measurement probe storing a plurality of trigger countrelease codes; and

FIG. 11 illustrates application of the invention to non-dimensionalmeasurement apparatus.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Referring to FIG. 1, a measurement probe 2 of the present invention isshown. The measurement probe 2 is a so-called touch trigger probe havinga deflectable stylus 4 releaseably attached to a deflection measurementunit 6. The deflection measurement unit 6 is of known type and comprisesa stylus holder mounted to the measurement probe housing via a set ofballs and rollers. Deflection of the stylus causes disengagement of theballs from the rollers thereby breaking an electrical circuit andproducing a so-called trigger signal. The measurement probe 2 comprisesa wireless (RF) communications unit 8 for transmitting trigger signaldata to a remote probe interface (not shown) in a known manner. Althougha wireless RF link is described herein, it should be noted that any typeof wired or wireless link may be used. For example, the RFcommunications unit 8 could be substituted for an optical communicationsunit.

The measurement probe 2 also comprises a deactivation device 10. Thedeactivation device 10 is arranged to prevent normal operation of themeasurement probe if certain criteria are not met. Deactivation of themeasurement probe may be implemented in a number of ways. For example,the deactivation device 10 could force the measurement unit 6 to powerdown or enter some kind of standby mode. Alternatively, the measurementprobe could continue to produce trigger signals as normal but thetransfer of trigger signal data to the remote interface via the wirelesscommunications unit 8 could be blocked. In short, the deactivationdevice 10 is arranged to stop normal measurement probe operation therebymaking the measurement probe inoperable. The measurement probe alsoincludes an authentication module 13 that comprises an authenticationdevice 12 and associated electronic memory 14. An externally accessibleelectrical connection pad 16 is also provided that allows electricalconnections between the authentication module 13 and an associatedactivation button 18 to be established. It should be noted that themeasurement probe will typically include various additional components(e.g. filtering or data processing electronics, batteries etc) but theseare not shown for clarity.

Referring now to FIG. 2, the activation button 18 is shown in moredetail. The activation button 18 includes an authentication module 19comprising an authentication device 20 and an electronic memory 22. Thememory 22 comprises a permanent memory portion 24 and a rewritablememory portion 26 for storing a trigger count value.

Referring to both FIGS. 1 and 2, operation of the measurement probe 2with an activation button 18 attached will be described.

Firstly, a two-way authentication process is used to verify theauthenticity of the measurement probe 2 and the activation button 18.Details of a suitable authentication technique are described in moredetail below with reference to FIG. 3, but the basic principle is that asecret key is stored in the electronic memories 14 and 24 of themeasurement probe 2 and the activation button 18. The authenticationdevice 12 of the measurement probe 2 and the authentication device 20 ofthe activation button 18 communicate with one another to perform anauthentication check which, without disclosing the secret key, confirmsthat the electronic memories of the measurement probe 2 and theactivation button 18 hold the same secret key.

Once the measurement probe 2 has established that an authenticactivation button 18 is attached to its external electrical connectionpad 16, the trigger count value stored in the rewritable memory portion26 of the activation button is read by the measurement probe. If thetrigger count value is non-zero, the deactivation device 10 permitsnormal measurement probe operation. Thereafter, the trigger count valuestored in the rewritable memory portion 26 is decremented by one foreach trigger signal that is generated by the measurement probe. Itshould be noted that the trigger count value stored in the rewritablememory portion 26 of the activation button 18 may be decremented aftereach trigger signal is issued or the measurement probe 2 may have somekind of temporary memory buffer (e.g. part of the memory 14) for storingtrigger counts and means for periodically updating the main triggercount value stored in the rewritable memory portion 26 of the associatedactivation button. For example, the trigger count value stored in therewritable memory portion 26 may be updated at regular time intervals orwhenever a certain number (e.g. ten, fifty, one hundred etc) of triggersignals have been issued by the measurement probe. The use of a memorybuffer within the measurement probe reduces the required number ofupdates to the value stored in the rewritable memory portion 26 of theactivation button. However, any buffer is preferably not too largebecause the main count stored by activation button may not bedecremented properly if the activation button is removed prior to anupdate event.

A measurement probe of the present invention thus operates normally inthe presence of an activation button 18 containing a non-zero triggercount; i.e. the measurement probe issues a trigger signal whenever thestylus is deflected. However, removal of the activation button 18 or thereduction of the stored trigger count to zero causes the deactivationdevice 10 to stop normal probe operation thereby preventing measurementsbeing made with the measurement probe. In this manner, the operationallifetime of the measurement probe can be set by a manufacturer. Forexample, a measurement probe may be sold with an activation button thatstores a certain trigger count value (e.g. five or ten thousand triggercounts). After the trigger count is expended, a further activationbutton may be obtained from the manufacturer to reactivate themeasurement probe. The new activation button may be provided withinstructions for verifying the measurement probe is operating within thenecessary tolerances and/or any appropriate firmware updates for themeasurement probe may be provided with the replacement activationbutton. In this manner, the requirement to periodically refresh themeasurement probe can also have the advantage of forcing a user toperiodically update or check the operational performance of themeasurement probe thereby ensuring the required measurement accuracy ismaintained.

Although FIG. 1 illustrates a measurement probe 2 having anauthentication module 13, an electrical contact pad 16 and adeactivation device 10, it should be noted that such components mayalternatively or additionally be provided as part of the remote probeinterface. In such an example, the measurement probe may pass allmeasurement data to such a probe interface and the probe interface maythen only pass on measurement data (e.g. to a machine controller) if anauthentic activation button storing a non-zero trigger count is attachedto its electrical contact pad. As a further alternative, the measurementprobe may include the authentication module and an electrical contactpad for reading a trigger count from an activation button whilst theprobe interface may comprise a deactivation device. The data transmittedby the probe to the interface may then contain information thatindicates whether an authentic activation button storing a non-zerotrigger count is attached to the electrical contact pad of themeasurement probe. If the measurement probe provides an indication thatthere is no authentic activation button storing a non-zero trigger countattached thereto, the deactivation device of the probe interface may bearranged to prevent the output of any measurement data.

It should be noted that although the above examples work by storing anddecrementing a trigger count value, other values could be stored andmeasured. For example, the measurement probe could include a clock thatmeasures the length of time that the measurement probe is activelyoperating. In such an example, the activation button could then includea certain operational time value that is decremented by the operationaltime value accrued as the measurement probe operates. A combination oftime and trigger count values could also be used. For example, theactivation button could store separate counts related to the time ofoperation and the number of triggers. The deactivation device 10 couldthen allow normal measurement probe operation until the stored triggercount or the stored time of operation count is expended. It should alsobe noted that the trigger count could alternatively increment with useand the deactivation device could stop normal operation when a maximumcount value is reached. Although the above described activation buttonincludes a memory for storing some kind of count or time value this isby no means essential. The activation button could, for example,alternatively comprise a clock or similar that separately measureselapsed time.

Referring now to FIG. 3, the basic principle of the two wayauthentication technique employed by the apparatus described withreference to FIGS. 1 and 2 is illustrated.

As outlined above, the measurement probe 2 and the activation buttoneach include an authentication device. Each authentication device runsthe SHA-1 algorithm developed by the National Institute of Standards andTechnology (NIST) of the USA. The SHA-1 algorithm is a so-called one-wayhash function that generates a fixed length Message Authentication Code(MAC) from input data. The SHA-1 algorithm has the properties of beingirreversible; i.e. it is computationally infeasible to determine theinput that corresponds to a generated MAC. The algorithm is alsocollision-resistant such that it is impractical to find more than oneinput message that produces a given MAC. Furthermore, the algorithm hasa high avalanche effect meaning that any minor change in the inputproduces a significant change in the MAC that is generated. Although useof the SHA-1 algorithm is described in detail herein, it should be notedthat many alternative algorithms could be used to implement similartypes of authentication.

The two-way authentication process, which can also be termed challengeand response authentication, relies on the measurement probe andactivation button both storing the same secret key in a secure (i.e.externally inaccessible) memory. When authentication is required, forexample when an activation button is located in the electrical contactpad 16 of the measurement probe, the activation button sends messagedata (e.g. the activation button serial number plus the stored triggercount value) to the measurement probe. The message data contains nosecret information and there is no threat to the security of theauthentication process if the message is intercepted. The measurementprobe responds by sending a random data string as a “challenge” to theactivation button.

The measurement probe then applies its SHA-1 algorithm to an input thatincludes the secret key, the message data and the random data string andproduces a MAC therefrom; this MAC can be termed MAC1. The activationbutton takes the same input data (i.e. the secret key, the message dataand the random data string) and uses its SHA-1 algorithm to generate aMAC; this MAC can be termed MAC2. The measurement probe then comparesMAC1 and MAC2. If MAC2 matches MAC1 it is certain (to a very high levelof confidence) that the same secret key is stored by both themeasurement probe and the activation button. The measurement probe thenassumes that the activation button is genuine. It should be reemphasisedthat the authentication process does not compromise the secrecy of thesecret key; i.e. the secret key itself is never passed between devices.

A similar two-way authentication check is also performed before data iswritten to the rewritable memory 26 of the activation button 18. In sucha process, the activation button 18 generates the random number andperforms the MAC comparison. This authentication process prevents thesecurity of the activation button 18 being compromised by ensuring thatonly an authentic device (such as measurement probe 2) can alter thestored trigger count value. In other words, the authentication checkguards against unauthorised users tampering with the trigger count valuethat is stored by the activation button 18.

A number of authentication devices suitable for incorporation into ameasurement probe are available commercially and are described in moredetail elsewhere. For example, suitable apparatus is the Maxim/Dallasi-button available from Maxim Integrated Products Inc, Sunnyvale,Calif., USA.

Referring to FIG. 4, measurement kit for use with a machine tool isillustrated. The measurement kit comprises a spindle mountablemeasurement probe 40, a table top (tool setting) measurement probe 42and a probe interface 44. The spindle measurement probe 40 and the tabletop measurement probe 42 (which are hereinafter collectively termed themeasurement probes) communicate with the probe interface 44 over awireless radio frequency (RF) link. The measurement probes 40 and 42 areboth touch trigger probes that issue a trigger signal whenever stylusdeflection exceeds a certain threshold value. The trigger signal can beused to freeze machine position information; e.g. the location of thespindle can be determined in the x, y and z machine co-ordinates systemas measured by machine position encoders. The spindle mountablemeasurement probe 40 has a spindle mountable shank 39 and a stylushaving a ruby ball tip 41; this allows points to be measured on thesurface of a workpiece. The table top measurement probe 42 has a toolsetting cube 43 mounted to its stylus tip and is used to determine theposition of cutting tools held by the machine tool spindle. For clarity,the associated machine tool on which such apparatus could be used is notshown in FIG. 4.

In order to overcome the various problems associated with hardwiredmeasurement probe systems, the interface 44 communicates with themeasurement probes 40 and 42 via a spread spectrum wireless RF link. Toallow multiple systems to operate side by side, each measurement probeprefixes all of its data transmissions with a probe identification (ID)code. An initial “pairing” procedure is performed in which the interface44 learns the ID code of the measurement probe that is intended for usewith that particular interface. After pairing, the interface 44 willonly process received data that contains the ID code of the pairedmeasurement probe thereby ensuring that data transmissions are ignoredthat originate from any other measurement probes (i.e. probes havingdifferent ID codes) that may be in the vicinity. Once paired, themeasurement probe and interface will frequency hop in a predefinedmanner to mitigate the effects of noise from other RF sources. Moredetails about the spread spectrum, or frequency hopping, communicationslink are outlined in WO2004/57552. A variant of WO2004/57552 is alsodescribed in detail in PCT application WO2007/28964. The apparatus ofWO2007/28964 allows multiple probes to be paired to a single interfaceby allowing the probe IDs of a measurement probe to be set by a user orby allowing the interface to recognise transmissions that contain anyone of a plurality of different ID codes. Such an arrangement allows twoor more probes to be used (non-concurrently) with a single interface.

To implement the frequency hopping RF link mentioned above, the spindlemounted measurement probe 40 and the table top measurement probe 42 eachcomprise wireless communications units 46 a-46 b. The interface 44includes a corresponding wireless communications unit 48 forcommunicating with the communications unit 46 of a measurement probe. Innormal use, the wireless communications units 46 and 48 allow datatransfer between any one of the measurement probes 40 and 42 and thepaired interface 44 in the known manner outlined above.

The interface 44, spindle measurement probe 40 and table top measurementprobe 42 contain authentication modules 50 a-50 c. Each authenticationmodule 50 comprises an authentication device 52 for running the SHA-1hash algorithm, a secure memory portion 54 for storing a secret key anda random data string generator 56. The interface 44 and the measurementprobes 40 and 42 also comprise deactivation devices 58 a-58 c forinhibiting normal operation. As outlined above, deactivation may beimplemented in various ways; for example, a deactivated measurementprobe may not transmit trigger signals via the wireless communicationsunit whilst a deactivated interface may not output any data on itstrigger signal output line 60.

In use, a set-up routine is performed in which a measurement probe (e.g.spindle mountable probe 40) and the interface 44 are placed in “pairing”mode. In common with systems of the type described in WO2004/57552, thepairing procedure involves the measurement probe repeatedly transmittingits ID code. The interface searches for any ID codes transmitted by anunpaired probe and, when the relevant measurement probe ID code isreceived, it is stored by the interface. After pairing, the interfaceignores any data it receives that does not contain the stored ID code.As outlined in WO2007/28964, the interface may also be paired with afurther measurement probe (e.g. the table top measurement probe 42) bystoring a second probe ID code or by loading the stored probe ID codeinto the further measurement probe. It can be seen that a potentialweakness of such a pairing procedure is that it allows any components tobe paired so long as the requirements of the communication protocol aremet. The communications protocol can, however, be easily copied whichwould allow replica or incompatible measurements probes and/orinterfaces to be used with genuine ones. This can seriously andunpredictably degrade the measurement performance of the kit.

As outlined above, the probes and interfaces of FIG. 4 also includeauthentication modules 50 having a secure memory portion 54 in which asecret key is stored. After a measurement probe has been paired with theinterface, an authentication step is performed in which the measurementprobe verifies that the interface is authentic (i.e. that it stores thesame secret key) and vice versa. The challenge and responseauthentication process is analogous to that described with reference toFIG. 3, with each authentication device 52 applying its SHA-1 algorithmto input data that includes the secret key stored in its associatedsecure memory portion 54, a message (e.g. the probe ID code) and arandom data string generated by one of the random data string generators56. Exchanges of the MACs, messages and random data strings areperformed using the wireless communications units 46. If the measurementprobe or interface confirms, by comparing self-generated and receivedMACs, that it has been paired with a genuine counterpart (i.e. acounterpart storing the same secret key) normal operation of theapparatus is permitted. However, if a probe or interface fails toestablish the authenticity of its counterpart, the deactivation device58 prevents normal operation.

The authentication process described above may be performed only afterpairing, each time a measurement probe is turned-on, at predeterminedtime intervals and/or during periods in which measurements are not beingacquired. If required, the authentication process may also be performedbefore the pairing operation. In this manner, it is ensured thatauthentic measurement probes only ever operate normally with authenticinterfaces and vice versa. An apparatus of this type can thus guarantee,to a high level of certainty, that only fully compatible measurementprobes and interfaces can be used in combination. Providing anauthentication process of this type thus prevents an interface beingused with a certain type of measurement probe if that interface isunable to properly process the measurement probe data it receivesbecause, for example, the format of the received data differs to thatexpected by the interface or requires the application of differentprocessing techniques. The authentication process thus means that, forexample, a manufacturer can provide different ranges of measurementprobes and interfaces that use the same communications protocols.Compatible equipment can be assigned a common secret key, whilst it isensured that incompatible equipment stores different secret keys. Inthis manner, the user is unable to use incompatible equipment incombination thereby reducing the chances of apparatus malfunction and/orthe introduction of unacceptably large measurement errors. Such anarrangement also prevents third party, possibly inferior quality,equipment being used with authentic devices which again ensures thatmeasurement accuracy is not compromised.

Although by no means essential, the measurement probes 40 and 42 shownin FIG. 4 may be measurement probes of the type described above withreference to FIG. 1. In particular, each measurement probes may comprisea deactivation device (which may be the same or different to thedeactivation device 58) that only permits normal probe operation if anauthentic activation button storing a non-zero trigger count value isattached to an electrical connection pad provided on the measurementprobe. In such an arrangement, the kit will only operate normally if theinterface and measurement probes are authentic and if the measurementprobes each have an authentic activation button attached thereto thatcontains a non-zero trigger count.

The measurement probe described with reference to FIG. 1 includes anexternal electrical connection pad 16 for receiving an activationbutton. In certain circumstances it is, however, preferable for theactivation button to be sealed inside the measurement probe during use.This ensures that the activation button does not become accidentallydetached from the measurement probe or damaged; this may occur, forexample, during the process of loading a spindle probe into the machinetool spindle using an automated tool change device. A measurement probemay thus be provided that includes a separate, preferably sealable,compartment for receiving the activation button. Alternatively, thebattery retaining compartment of the measurement probe may be adapted toalso hold the activation button as will now be described in more detail.

Referring to FIG. 5, a battery holder 70 for a measurement probe isillustrated. The battery holder 70 includes a compartment 72 in whichbatteries 74 are located. In addition, a slot 76 is provided in which anactivation button 18 can be placed. Electrical contacts 78 are alsoprovided for establishing the necessary electrical connections betweenthe batteries and activation button and the electronics of themeasurement probe. A locking mechanism 80 may also be provided tosecurely retain the battery holder 70 in the probe body. Thisarrangement ensures good electrical contact is maintained even in aharsh operating environment and also prevents damage to the activationbutton.

The battery holder of FIG. 5 also has the advantage that removal of theactivation button also requires removal of the batteries. This ensuresthat the probe is powered down whenever the activation button isremoved. In such apparatus, the authentication process need only beperformed on power-up of the measurement probe because it is impracticalto remove or replace the activation button after the measurement probehas been switched on.

It is important to note that the use of an activation button asdescribed above provides a convenient way to implement the invention butis by no means the only solution. In other words, the use of anactivation button of the type described above is advantageous but by nomeans essential. Many alternative types of device could be used tosecurely store a trigger count and implement some kind of authenticationor encryption technique. For example, a smart card or other similardevice may be used.

Referring to FIG. 6, a measurement probe 90 is illustrated thatcomprises a slot 92 for receiving a smart card 94. The slot 92 may besealable. The smart card 94 includes a memory to store a secret key, aprocessor for implementing the SHA-1 algorithm and a rewritable memoryfor storing a trigger count value. The measurement probe containscomplimentary apparatus such that a challenge and responseauthentication process of the type described above can be carried outbetween the measurement probe and smart card. If required, the slot 92for the smart card may be formed as part of the battery holder therebyphysically protecting the card from damage.

The measurement probes described above are arranged to operate only whenan activation button, smart card or similar device storing a triggercount data is attached to the probe. It is, however, also possible forthe measurement probe itself to comprise a rewritable memory that storesthe trigger count value. The activation button (or similar) is then onlyrequired when the trigger count stored in the probe needs to rechargedor refreshed.

Referring to FIG. 7, a measurement probe 100 is shown that is a variantof the measurement probe of FIG. 1. In common with the measurement probedescribed with reference to FIG. 1, the measurement probe 100 comprisesa deflectable stylus 4 attached to a deflection measurement unit 6, awireless communications unit 8 for communicating with a remote interfaceand a deactivation unit 10. An electrical connection pad 16 provides aconnection to an associated activation button 118.

The measurement probe also comprises an authentication module 113comprising an authentication device 112 and a memory 114. The memory 114stores a secret key in a permanent memory portion 114 a and alsoincludes a rewritable portion 114 b for storing a trigger count value.In use, the deactivation unit 10 only permits normal measurement probeoperation when the trigger count value stored in the rewritable memoryportion 114 b is non-zero. Each time a trigger signal is generated, thecount stored in the rewritable memory portion 114 b is decrementedaccordingly. Once the stored trigger count value reaches zero, normalmeasurement probe operation is inhibited by the deactivation unit 10.

In order to reactivate the measurement probe, an activation button 118storing a non-zero trigger count is placed in contact with theelectrical contact pad 16. The above described authentication process isthen used to ensure that both the measurement probe and the activationbutton contain the same secret key. Once authenticity has beenestablished, trigger counts are transferred or loaded from theactivation button to the measurement probe. In other words, the triggercount stored in the rewritable memory of the activation button isdecremented by a certain value and, at substantially the same time, thetrigger count value held in the rewritable memory portion 114 b isincreased by that value. Following the loading of trigger counts, theactivation button can be removed from the measurement probe. In thismanner, trigger count credits are transferred in bulk from theactivation button 18 to the measurement probe 100 thereby allowingcontinued operation of the measurement probe until the new trigger countis expended.

The measurement probe 100 may be configured to take all the triggercounts that are stored in the activation button 118. Alternatively, themeasurement probe 100 may be configured to take fewer trigger countsthan are stored in the activation button. If necessary, the transfer oftrigger counts may also be performed in the opposite direction. Forexample, trigger counts may be transferred from the measurement probe100 back to an activation button 118. Alternatively, the activationbutton 118 may be arranged such that the trigger count can only ever bedecremented. It should also be noted that the activation button 118 maybe identical to the activation button 18 and hence may also be used withthe measurement probe 2 described with reference to FIG. 1.

The activation button described above is designed to be brought intophysical contact with corresponding electrical contact pads of themeasurement probe. As mentioned above, activation buttons are simply oneway of implementing the invention and many different types of securetechnologies (smart cards etc) could be connected to the measurementprobe and used for the same purpose. Furthermore, if the measurementprobe itself is capable of securely storing trigger count values,additional methods of refreshing the trigger counts stored in themeasurement probe can be implemented.

Referring to FIG. 8, a further measurement probe 120 is shown. Themeasurement probe 120 includes a wireless communications unit 8 forpassing trigger information to a remote probe interface 122 over awireless RF link. The RF link may be as described previously inWO2004157552 or may be arranged to implement an authentication processas described above with reference to FIG. 4. The measurement probe 120also includes a further wireless communications unit 124 that isconnected to an authentication module 113 that comprises anauthentication device 112 and a secure memory 114. The physicalelectrical contact pad 16 of the measurement probe 100 described withreference to FIG. 7 is thus replaced in the measurement probe 120 by thewireless communications unit 124.

A separate fob 126 is also provided that includes a wirelesscommunications unit 128 for communicating with the wirelesscommunications unit 124 of the measurement probe 120. The communicationsunit 128 of the fob 126 is linked to an authentication module 131comprising an authentication device 130 and an electronic memory 132having a secure portion for storing the secret key and a rewritableportion for storing a trigger count value. The fob also includes aplurality of keys 134 that allow a user to control the transmissionprocess. A liquid crystal display 136 is provided for displaying fobstatus information such as the number of trigger counts remaining and/orthe number of counts to be loaded into the measurement probe.

In use, a user selects the number of trigger counts that are to beuploaded to a measurement probe using the keys 134. The fob is thenplaced in the vicinity of the relevant measurement probe 120 and a keyis pressed to initiate the trigger count upload. The challenge-responseauthentication process is performed over the wireless link to verifythat the fob 126 and the measurement probe 120 are authentic. After asuccessful authentication step, the selected number of trigger countsare transferred from the memory 132 of the fob 126 to the memory 114 ofthe measurement probe. The use of a wireless link means that themeasurement probe 120 does not have to include accessible electricalcontacts; the count stored by the measurement probe 120 can thus beupdated without having to touch or in any way access the measurementprobe.

To ensure that the probe triggers are uploaded to the desiredmeasurement probe, it is preferred that the RF communications linkbetween the fob 126 and the measurement probe 120 is a relatively shortrange link (e.g. operable only over distances of less than 20 cm or so).Alternatively, an optical link may be used instead of the RF link. If anoptical link is provided, the directionality of the transmitted lightcan be used to ensure that trigger counts are uploaded to the correctprobe. Although separate communications units are shown forcommunicating with the probe interface and the fob, it should also benoted that a single wireless communications unit may be used to performboth functions.

Although a dedicated fob 126 is described, the measurement probe may beinterfaced with a general purpose computer (e.g. a laptop or PDA) via astandard wireless communications link (e.g. Wi-Fi, Bluetooth etc) or awired link (USB, Firewire etc). In such an embodiment, the computer mayalso be interfaced to an encryption module or card that runs theauthentication check, securely stores the secret key and maintains aprobe trigger count value. In other words, an activation button or chiptype device may be provided that communicates with the measurement probevia an intermediate (general purpose) device.

Referring to FIG. 9, a two-part measurement probe 150 will now bedescribed. The measurement probe comprises an upper part 152 and a lowerpart 154. The lower part 154 comprises a stylus 156 attached to adeflection measurement unit 158. The lower part 154 also includes anauthentication module 159 comprising an authentication device 160 and anassociated memory 162. The memory 162 comprises a secure portion forstoring a secret key and a rewritable portion for storing a triggercount value. The upper part 152 comprises a wireless communications unit8 for communicating with an associated probe interface (not shown) and adeactivation device 10 for inhibiting normal operation. The upper partalso includes an authentication module 170 comprising an authenticationdevice 172 and a memory portion 174 for storing a secret key.

The upper and lower parts may be assembled to form a measurement probe.Once assembled, electrical links are provided between the upper andlower parts by appropriate sets of electrodes (not shown). Afterassembly, a challenge and response authentication process of the typedescribed above is performed in order to verify that the upper and lowerparts of the device are authentic. If authenticity is confirmed, thedeactivation device 10 allows trigger events from measurement unit 158to be output via the wireless communications unit 8 provided that thereare still trigger counts stored in the memory 162 of the lower part.Each trigger event decrements the stored count and when the triggercount value equals to zero, the deactivation device 10 of the upper part152 prevents further operation with that particular lower part 154attached. The lower part is then discarded and replaced with a new lowerpart (i.e. a lower part having stored trigger counts).

The lower part 152 can thus be considered as the combination of anactivation button to store a trigger count and the (moving) mechanicalparts of the measurement probe. All the moving parts that will wear withuse are thus contained in the (disposable) lower part of the measurementprobe, whereas the bulk of the (expensive) electronics are contained inthe re-usable upper part. The number of trigger counts initially storedin the memory of the lower part may correspond to, or be slightly lessthan, the expected operational lifetime of the stylus or deflectionmeasurement unit 158. In other words, the lower part may store a triggercount value that causes operation of the measurement probe to ceasebefore the measurement probe fails or its measurement accuracy decreasesto unacceptable levels. In this manner, the accuracy of measurementsfrom the two-part measurement probe system can be assured.

The above embodiments use an authentication process which offers a highlevel of flexibility in that any authentic components can be used incombination. For example, trigger count credits stored by activationbuttons can be transferred to any number of authentic measurement probe.This has the advantage of allowing activation buttons to be swappedbetween different measurement probes as required. Although suchflexibility in using trigger counts is advantageous, it may be desirableto provide non-transferable trigger counts in certain circumstances.

Referring to FIG. 10 an alternative measurement probe 200 isillustrated. The measurement probe 200 comprises a wireless (RF)communications unit 8 for transmitting data to a remote probe interface202. In addition, a deactivation device 204 is provided to stop normalmeasurement probe operation when the trigger counts stored in arewritable memory portion 206 are expended. The measurement probe alsoincludes a secure memory portion 208 that securely stores a number of(secret) pre-programmed codes for releasing further trigger counts.Entering a code that matches a stored code will thus increase the storedtrigger count by a certain amount. These release codes are known only tothe manufacturer and are sufficiently complex to ensure that it is notpractically possible to find such codes by a trial and error process.The codes are also unique to the particular measurement probe; themeasurement probe being identifiable by a unique probe identification orserial number.

The measurement probe 200 is thus supplied with a certain number (e.g.five or ten thousand) of trigger counts already stored in its rewritablememory. The stored trigger count reduces with probe use in the mannerdescribed above. When the trigger count reaches, or approaches, zero anappropriate release code can be acquired from the manufacturer. Entry ofa release code that matches a stored code causes the release of furthertrigger counts thereby permitting continued operation of the apparatus.Each release code can only be used once to increase the trigger count.

The measurement probe 200 also comprises an interface 210 via which therelease codes can be input. The interface may comprise one or more keysinto which a code is typed. Alternatively, the interface may comprise awireless link to a remote device (such as a fob) into which theappropriate code has been entered. Alternatively, the interface mayreceive data via a stylus deflection data entry process such as thetrigger logic technique described previously in U.S. Pat. No. 7,145,468.Alternatively, the interface may establish a link (e.g. by telephone orover the internet) to a computer server of an authentic manufacturer,distributor or retailer etc. On receipt of appropriate payment, thenecessary code may then be passed over the link to the measurement probethereby reactivating the measurement probe.

It should also be noted that measurement probes may be provided in whichthe secure memory portion storing the trigger count can not be accessedafter manufacture. In such a case, the measurement probe will only workfor the preset number of triggers before becoming permanentlyinoperable. The probe may then be disposed of, or returned to themanufacturer for refurbishment. Although the above examples describetopping up a trigger count value, it is also possible for themeasurement probe to be switched into a permanent (i.e. not triggercount or time limited) mode of operation. For example, an activationbutton or release code may be provided that permanently deactivates thedeactivation device such that the measurement probe operates from thatpoint forward as a standard measurement probe.

The above described embodiments all relate to measurement probeapparatus. It is, however, important to note that the same techniquescould be applied to a wide range of other measurement apparatus. Forexample, the technique may be applied to any dimensional measuringapparatus such as position encoder systems, co-ordinate measuringmachines, scanning apparatus etc. The techniques may also be used withnon-dimensional measuring apparatus such as spectroscopy kits.

Referring to FIG. 11, a Raman spectroscopy system is illustrated inwhich a Raman spectrometer 250 is interfaced to a computer 252. Thespectrometer 250 comprises a measurement unit 254 that is arranged toacquire, under the control of the computer 252, Raman spectra fromsamples 256 placed on a sample stage 258. The spectrometer 250 alsocomprises a deactivation device 260 that can prevent measurement databeing passed to the computer 252. The deactivation device 260 is linkedto an authentication module 261 comprising an authentication device 262and a secure memory 264 in which a secret key is held. An electricalcontact pad 266 for receiving an activation button 268 is also provided.The activation button 268 may be the same as that described withreference to FIG. 2, with the stored count value relating to measurementcounts rather than trigger counts.

In use, the activation button 268 storing a number of measurement countsis placed on the electrical contact pad 266. In the manner describedabove, the authentication module 261 of the spectrometer communicateswith the corresponding authentication module of the activation button268. If the activation button 268 is found to be authentic and alsoholds a non-zero measurement count, the deactivation unit 260 allowsnormal spectrometer operation. If the activation button 268 is notauthentic, or if it hold no measurement counts, the deactivation device260 prevents normal spectrometer operation. In this manner, aspectrometer can be provided which can perform a certain number ofmeasurements before a replacement activation button is required. Thenumber of counts provided on an activation button may be linked to thenumber of measurements that can be taken before recalibration orservicing of the device is necessary, thereby ensuring operation doesnot occur when the spectrometer may be out of calibration. As describedabove, a variant of the apparatus may be provided in which measurementcounts are uploaded to a secure memory store within the spectrometer.

It should be noted that herein the term “authentic” is used to describedevices that store the relevant secret key and does not necessarilyrelate to the origin of the manufactured device. In particular, theauthentication process may allow only certain models of measurementprobe to be paired with certain models of interface thereby preventingmeasurement probes and interfaces that are not designed to be operablewith one another being used in combination.

It should also be remembered that the examples described above withreference to the associated drawings are only examples of the presentinvention. A skilled person would be aware of the many alternatives andvariations of the above examples that would be possible. In particular,the various authentication modules, authentication devices, electronicmemories etc described above are illustrated as separate functionalblocks. These functions may be provided by discrete chips or circuits ormay be implemented as parts of a computer program running on a generalpurpose computing module. The above examples should thus be seen as inno way limiting the physical manner in which the invention isimplemented.

What is claimed is:
 1. A measurement probe system comprising ameasurement probe mountable to co-ordinate positioning apparatus, themeasurement probe having a measurement portion for measuring an object,comprising a deflectable stylus, wherein the measurement probe systemcomprises; a data transfer portion for receiving data from and/ortransmitting data to an associated unit, and an authentication modulefor verifying the authenticity of the associated unit.
 2. A measurementprobe system according to claim 1, wherein the authentication modulecomprises a processor that, in use, runs an encryption algorithm.
 3. Ameasurement probe system according to claim 2, wherein the encryptionalgorithm is a one-way hash algorithm.
 4. A measurement probe systemaccording to claim 1, wherein the authentication module comprises arandom data string generator.
 5. A measurement probe system according toclaim 1, wherein the authentication module comprises a secure memory forstoring a secret key.
 6. A measurement probe system according to claim5, wherein the authentication module verifies the authenticity of theassociated unit using a challenge and response process, wherein thechallenge and response process confirms that the associated unit holdsthe same secret key as the secure memory of the authentication modulewithout disclosing the secret key.
 7. A measurement probe systemaccording to claim 1, wherein the data transfer portion comprises atransmitter and/or a receiver for providing a wireless communicationslink with an associated unit.
 8. A measurement probe system according toclaim 1, wherein the data transfer portion comprises at least oneelectrical contact for providing a conductive electrical connection toan associated unit.
 9. A measurement probe system according to claim 1in which the measurement portion generates measurement data fortransmission to an associated unit by the data transfer portion, whereinthe data transfer portion only transmits the measurement data if theauthentication module has verified the presence of an authenticassociated unit.
 10. A measurement probe system according to claim 1,wherein an associated unit is arranged to transmit information relatingto measurement probe system operation, wherein said information is onlyacted upon by the measurement probe system if the authentication modulehas verified that the associated unit is authentic.
 11. A measurementprobe system according to claim 1, wherein the measurement portion ofthe measurement probe comprises a deflection measurement mechanism formeasuring deflection of the deflectable stylus.
 12. A measurement probesystem according to claim 1, further comprising at least one of a probeinterface, a numeric controller and a computer.
 13. A measurement kitcomprising a measurement probe system according to claim 1 and anassociated unit, wherein the associated unit stores information to betransmitted to the measurement probe system.
 14. A measurement kitcomprising a measurement probe system according to claim 1 and anassociated unit, wherein the associated unit comprises an interface forreceiving measurement data from the measurement probe system.
 15. Ameasurement probe for co-ordinate positioning apparatus, the measurementprobe comprising; a measurement device for generating measurement dataindicative of the position of at least one point on the surface of anobject; a communications device for communicating with a remote probeinterface; and an authentication device for determining if the remoteprobe interface is an authentic remote probe interface, wherein thecommunications device passes the measurement data to the remote probeinterface only when the authentication device has determined that theremote probe interface is an authentic remote probe interface.
 16. Ameasurement probe according to claim 15 wherein the authenticationdevice comprises a secure memory for storing a secret key, wherein theauthentication device determines the authenticity of a remote probeinterface using a challenge and response authentication process, thechallenge and response authentication process confirming that a remoteprobe interface holds the same secret key as is held in the securememory of the authentication module, wherein the challenge and responseauthentication process does not disclose the secret key.
 17. Ameasurement probe for co-ordinate positioning apparatus, the measurementprobe comprising; a measurement device for measuring an object; aninterface for providing a data connection with an associated datastorage unit, a communications device for receiving data from anassociated data storage unit connected to the interface, anauthentication device for determining if a data storage unit connectedto the interface is an authentic data storage unit; wherein data storedon a data storage unit connected to the interface is used by themeasurement probe only when the authentication device has determinedthat the data storage unit connected to the interface is an authenticdata storage unit.
 18. A measurement probe according to claim 17 whereinthe communications device receives data from an associated data storageunit that comprises at least one of a trigger count value, a probeoperation time value, a probe operating instruction and a firmwareupdate.
 19. A measurement probe according to claim 17 wherein theauthentication device comprises a secure memory for storing a secretkey, wherein the authentication device determines the authenticity of adata storage unit using a challenge and response authentication process,the challenge and response authentication process confirming that a datastorage unit holds the same secret key as is held in the secure memoryof the authentication module, wherein the challenge and responseauthentication process does not disclose the secret key.